Security Control in Organization Case Study


Security controls are the requirements and standard guidelines required for standard organizational security. These requirements can be divided into security, interoperability, and operational requirements.

Security requirement

  1. An efficient system event listing: The system processing unit would automatically generate logs of all transactions executed each day. This is a standard requirement that must be utilized by the organization.
  2. Intrusion detection systems: This requirement provides a platform that investigates unauthorized access to the system server, system firewall, and information, whether by an authorized staff member or by another individual.
  3. A standard backup and recovery module: In the event of a possible attack, the system recovery would initiate a total recovery process; this access would be made available to all authorized personnel working for the organization.
  4. System and information control: The requirement provides a framework for the organization’s information process.

Interoperability requirements

  • Security awareness training: This requirement seeks to address the issues relating to operational procedures within each department. Each staff member will be trained on his or her job description. This would influence the individual’s responsiveness to critical issues when the need arises.
  • Operations control and management: The guideline will support the organization in securing each system of operations against possible attack and intrusion. The management guideline provides the procedures that must be followed to secure the entire processing unit against vulnerabilities.
  • Contingency planning: This guide will be used to carry out an efficient system maintenance program. This program will be in effect upon activation of an intrusion or attack at any system server.

Operational requirements

  • Incident response plan: This requirement provides a framework for a quick response when the system servers are attacked or accessed from unauthorized locations.
  • Maintenance: This requirement provides a recommendation for regular maintenance of the entire information systems and security control units, and for adequate training of security workers.
  • Personal security: Each staff member of the organization must be conscious of his or her environment. The personal security requirements provide the steps that must be followed to ensure the safety of all individuals working in the organization.

These requirements and guidelines are some of the standard procedures required to have secure information systems. A comprehensive security control plan consists of the operations of standard procedures, the management of personal security, organizational transactions, storage of data and its related components, and technical competence.

A company that follows these guidelines would surely protect the reputation of the company because it would safeguard the client base, client confidentiality, and information. Bank Solutions must have adequate knowledge regarding the kind of information that would be protected and preserved.

Selection of this guideline depends on the available resources the organization can acquire at any transaction. Prioritize the selected requirements based on immediate need, security posture, complexity, resource availability, and cost.

Immediate need

Each of the selected requirements and procedures contributes to the security control within the organization. These requirements are regarded as an immediate need based on the mission and objectives of the organization. Bank Solutions would require these guidelines to manage and preserve the information based on confidentiality, integrity, and reputation.

Personal security is a requirement that would be prioritized as an immediate need. The workforce of the organization must be adequately protected to protect the daily transactions and information of the company. The security of the organization and the entire database depends on the quality of security each staff of the company enjoys.

Security Posture

Security posture can be defined as the complete security strategy utilized by any organization. It consists of the internal and external components of the security network. The effect of the requirements employed in the organization’s security plan is called security posture. Every organization that utilizes these requirements above must have a security posture.

Three fundamental requirements are employed in assessing the security posture of Bank Solutions.

  • Document all the information that would be at risk and would be a tool in the hands of your rivals, hackers, and unauthorized people.
  • Study how this information can be stolen or acquired. This would require elaborate research on the possible routes by which this information can be accessed by unauthorized individuals (Camara, 2011).
  • Improve the security measures that would reduce the internal and external risk.

This strategy would be used to assess the company’s security posture. Thus, the requirements above can be prioritized based on security posture.

  1. An efficient system event listing: This requirement can be prioritized based on security posture.
  2. System and Information control.
  3. A standard backup and Recovery module.
  4. Operations control and Management.
  5. Intrusion Detection Systems.
  6. Incident response plan.

To improve the security posture at Bank Solutions, the following recommendations should be considered:

  • Document all log-ins and attempts for forensic scans: any attack must have a trace; a proper record of all traffic would give clues to the source of the attack.
  • Attack Detection: the documented records would be used to understand the trend of attacks. This can influence early detection of an attack or possible threat to the organization.
  • Do not overload the security systems: System failures are risks that must be controlled.

Resource availability

None of the selected requirements fall into this category. This is because Bank Solutions is an enterprise that seeks to expand its services on a regional scale; to achieve this, the resources must be available to meet the standard requirements for business transactions. Note that these requirements determine the level of integrity and confidence the organization can attract.

Complexity and Cost

Based on complexity and cost, three of the selected requirements fall into this category.

Maintenance: maintaining the entire security system is generally expensive. The company would be ready to make financial commitments to achieve its desired objectives.

Contingency plans: the quickest way to deal with a cyberattack is to dramatize a virtual risk, then use the security checks to control the effect of the attack. This procedure can be complex and cost-effective. Most organizations would prefer to skip this procedure and apply the sit-and-wait approach. The financial implication of the latter may be more than the former.

Security awareness training: the training of plan participants can reduce the effect of damage in the event of a cyberattack. The knowledge of different security measures by the plan personnel can be the difference between a fatal attack and an unsuccessful one.

This means that each staff member would complete regular research and training to monitor and update himself or herself with the latest information in the global world. This can be achieved with its financial implications; such training requires a huge financial commitment (Camara, 2011).

Using NIST Special Publication 800-53, select one control per requirement and describe how this control enhances the security posture or facilitates the secure implementation of the requirement

Security requirements and their controls

Security control is a plan that manages the entire security plan of the organization. The security plan depends on the structural organizational architecture of the company. It defines the limitations and access to the system server. It also provides a platform from which all information can be transferred from one location without compromising the integrity of that source of the information.

The security plan provides a blueprint for any modification in the operations of the security plan. Access and privilege: The security control used by the organization would restrict the access of unauthorized users. Those who will have access must be duly assigned to a task that requires access clearance or must have the required security privilege.

This would be done in accordance with the mission of the organization. The privilege is also limited to an individual. The area of visibility in terms of access to secured files while performing a transaction is restricted. The information processing units provide separate platforms from which each user can log in, and this will not be altered during multiple log-ins.

The security control enhancement provides the authorized user with information regarding the number of attempts that were made on the server and the number of users that have gained access to the server room. In a situation where an unauthorized user tries to access the server, the system would automatically shut down after repeated attempts and such an intrusion is tracked by the system tracker.

The system may decide the limit on log-in attempts after which the server would enter hibernation mode. System notifications are enabled on the server port; this would be flagged when a user has gained access to the system server. At this point the system would initiate safety measures to verify the authenticity of the user account.
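The log-in limit and notification behaviour described above can be sketched as follows. This is an added example, not part of the original essay; the thresholds, the log format, the function name `apply_lockout` and the per-account (rather than whole-server) lock are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy (not from the essay): 3 failures in 15 min lock for 30 min.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=15)
LOCK_TIME = timedelta(minutes=30)

# Constructed sample events: "ISO-timestamp user source-address result".
SAMPLE_LOG = """\
2024-03-01T09:00:05 teller01 10.0.4.17 FAIL
2024-03-01T09:00:40 teller01 10.0.4.17 FAIL
2024-03-01T09:01:10 auditor2 10.0.9.3 OK
2024-03-01T09:01:30 teller01 10.0.4.17 FAIL
2024-03-01T09:02:00 teller01 10.0.4.17 OK
2024-03-01T09:40:00 teller01 10.0.4.22 OK
"""

def apply_lockout(log_text):
    """Replay login events; return (audit_trail, notifications)."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> time the lock expires
    audit, notices = [], []
    for line in log_text.splitlines():
        stamp, user, source, result = line.split()
        when = datetime.fromisoformat(stamp)
        if user in locked_until and when < locked_until[user]:
            # A locked account is refused even when the credentials are right.
            audit.append((stamp, user, source, "DENIED_LOCKED"))
            notices.append(f"{stamp} attempt on locked account {user} from {source}")
            continue
        locked_until.pop(user, None)    # lock (if any) has expired
        if result == "OK":
            failures[user].clear()
            audit.append((stamp, user, source, "ALLOWED"))
            continue
        recent = failures[user]
        recent.append(when)
        while recent and when - recent[0] > WINDOW:
            recent.popleft()            # drop failures older than the window
        audit.append((stamp, user, source, "FAILED"))
        if len(recent) >= MAX_FAILURES:
            locked_until[user] = when + LOCK_TIME
            recent.clear()
            notices.append(f"{stamp} account {user} locked, last source {source}")
    return audit, notices

if __name__ == "__main__":
    trail, alerts = apply_lockout(SAMPLE_LOG)
    print(*trail, *alerts, sep="\n")
```

The audit trail keeps the date and source of every attempt, including the correct-password attempt refused while the lock was active, which is the record a later investigation would rely on.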

When a particular system is used by the public, the system control blocks any attempt to access restricted files by creating a virtual block on restricted information, or by making the information inaccessible to the intended user. System notification is enforced when such a user attempts to access restricted files, and the location of the user is documented and relayed to the appropriate security personnel.

Security control measures provide the dates of all log-in attempts made by all users and the location of files and information accessed during such attempts. This information would be used to track any hacker or analyze an attack that was made. The number of attempts given to a particular user is restricted by enforcing a system lock.

This would limit the maximum number of accesses to a specific number. The system provides a platform that would not require user authentication. This platform will be used by senior executives within the organization. This security control is enabled at instances when identification of the user account must be bypassed.

Note that this security control is different from multiple log-in attempts or attempts from unauthorized users (Swanson & Guttman, 1996). Modification of the secure servers is enabled and such access is granted to authorized users within the organization. These modifications are carried out on a regular basis.

The aim of the modification could be to add or remove a particular input in view of the security challenges of the organization. Modifications are made on the server system to reduce the risk of compromise when the system servers are accessed from different locations outside the bank. This may be a mobile device or a personal platform.

Security controls are enforced on mobile devices, and authorized connections are allowed when the user fulfills the requirements as stipulated by the organization. On any attempt to deviate from the system regulation that governs access to information, the system would enter hibernation mode for the restricted user.

The system server disables administrator log-in and enforces user identity checks. The use of storage devices would be restricted for users that do not have level clearance within the organization. This is done to limit the use of storage devices to either retrieve information from the server or upload a viral attack into the server firewall (“National Institute of Standards and Technology,” 2009).

Operational requirements and their controls

The system control plan is used to document the job responsibilities of each staff member; the job description of each worker is linked to the server room for safekeeping. The user account of each staff member is preloaded with security privileges that enable safe entry into the organizational building and other restricted areas.

The system control provides a platform where all user accounts are reviewed based on their performance with the organization. When an individual is sacked from the organization, the security clearance of that staff member is closed without affecting the system log-in of other users.

The system blocks the extension of user rights and monitors the time used by a user and the sections of the organization’s information that were accessed. Name tags are used to represent information transferred from one location to another (International Standards Organization, 2000).

The system firewall protects secured files from any intrusion by unauthorized users; the section of confidential files is encrypted and stored in different locations. When the system is under attack, a complete cleanup is enforced; this would erase the entire data in that location. Modification of security privileges is done from the system firewall.

This feature is used to either reduce or increase the rights of an individual to access certain information from the organization (“National Institute of Standards and Technology,” 2009). Security checks are placed on the system servers to restrict the outflow of information from the organizational server to a different location.

The system control unit provides a platform that monitors the threat level on the system server. Each threat is examined as a separate entity. Recommendations are made and the security personnel implement the required recommendations after assessing the extent of damage.

A damage control procedure is enforced in a situation where the attack was successful, and recovery of the entire system data is done. Business transactions are documented on the system server and the exact time and date are stored on the server.

In cases where individuals give a false account of their transaction, the security control is used to track the transactions executed within the time frame; this analysis would help to ascertain what type of transaction occurred at that time. The system controls protect the server files against possible hazards such as fire and flooding, to mention a few. Files saved on the system can be retrieved by qualified and authorized users.

References

Camara, S. (2011). Disaster Recovery and Business Continuity: A Case Study for CSIA 485. Journal of Information Systems Education, Vol. 22 (2).

International Standards Organization. (2000). Technology Code of Practices for Information Security Management. First edition. ISO/IEC 17799:2000(E).

National Institute of Standards and Technology: Recommended Security Controls for Federal Information Systems and Organization. (2009). NIST Special Publication 800-53 Revision 3. Web.

Swanson, M., & Guttman, B. (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST Special Publication 800-14). National Institute of Standards and Technology. Web.

Cite This paper

IvyPanda. (2019, July 2). Security Control in Organization. https://ivypanda.com/essays/security-control-in-organization/
